Skip to main content

Splunk Enterprise CVE-2026-20240

| EUVDEUVD-2026-31138 MEDIUM
Improper Input Validation (CWE-20)
2026-05-20 cisco GHSA-2fmj-cw46-4vrm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:31 vuln.today
Severity Changed
May 20, 2026 - 18:22 NVD
HIGH MEDIUM
CVSS changed
May 20, 2026 - 18:22 NVD
7.1 (HIGH) 6.5 (MEDIUM)
Patch available
May 20, 2026 - 18:02 EUVD

DescriptionCVE.org

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the coldToFrozen.sh script in the splunk_archiver app to rename critical Splunk directories, making the instance non-functional.<br><br>The Denial of Service is possible because of missing input validation in the coldToFrozen.sh script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.

AnalysisAI

Denial of Service in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged authenticated user to render the entire instance non-functional by exploiting missing input validation in the coldToFrozen.sh script bundled with the splunk_archiver app. The script accepts arbitrary file paths and renames them without restricting operations to safe directories, enabling renaming of critical Splunk system directories. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege requirement (PR:L per CVSS) makes this actionable for any authenticated non-admin user in multi-tenant or enterprise deployments. A vendor patch is available via advisory SVD-2026-0504.

Technical ContextAI

The coldToFrozen.sh shell script is part of Splunk's splunk_archiver application, which manages the data lifecycle by transitioning index buckets from cold storage to frozen (archived or deleted) states. The vulnerability is rooted in CWE-20 (Improper Input Validation): the script accepts a user-supplied file path argument and performs a rename operation on it without enforcing any path restriction or allowlist to confine operations to legitimate data directories. This means an attacker can supply an absolute path targeting critical Splunk configuration or runtime directories outside the archiver's intended scope. Affected products are confirmed via CPE strings cpe:2.3:a:splunk:splunk_enterprise and cpe:2.3:a:splunk:splunk_cloud_platform across multiple version branches. The root cause is a missing directory traversal guard in a privileged shell script executed in the context of the Splunk process, rather than a memory corruption or injection issue.

RemediationAI

Upgrade Splunk Enterprise to the patched releases: 9.3.12, 9.4.11, 10.0.5, or 10.2.2 depending on the branch in use. Splunk Cloud Platform customers should ensure their instances are running 9.3.2411.129, 10.0.2503.13, 10.1.2507.21, 10.2.2510.11, 10.3.2512.9, or 10.4.2603.1 or later. Vendor patch is confirmed available via Splunk advisory SVD-2026-0504 at https://advisory.splunk.com/advisories/SVD-2026-0504. If immediate patching is not feasible, a compensating control is to revoke access to the splunk_archiver app for all non-administrative users - this restricts which users can invoke the coldToFrozen.sh script, though it may impact legitimate archiving workflows. Additionally, consider restricting Splunk role assignments so that only trusted users hold any Splunk account, reducing the population of potential attackers. Note that these workarounds do not eliminate the underlying vulnerability and patching remains the definitive fix.

More in Splunk

View all
CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2024-36985 HIGH POC
8.8 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe

CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2023-32707 HIGH POC
8.8 Jun 01

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,

CVE-2022-43571 HIGH POC
8.8 Nov 03

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t

CVE-2022-43567 HIGH POC
8.8 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c

CVE-2023-22934 HIGH POC
8.0 Feb 14

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets

CVE-2022-43566 HIGH POC
8.0 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more

CVE-2024-36991 HIGH POC
7.5 Jul 01

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t

CVE-2024-36990 MEDIUM POC
6.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a

CVE-2017-17067 CRITICAL
9.8 Nov 30

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and

CVE-2013-6771 CRITICAL
9.3 Aug 07

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr

Share

CVE-2026-20240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy